Free OSINT Investigation Tools

Look up IP addresses, search usernames across 500+ sites, decode hidden timestamps, and analyze email headers. Everything runs in your browser — no data leaves your device.

build Freelock Client-Sideaccount_circle Free Account

travel_explore

IP Lookup

Look up any IP address and get geolocation details, ISP information, and network data — all in a digitally signed, court-ready PDF report.

Look Up an IP Address arrow_forward dns

Domain to IP Lookup

Resolve DNS records, score domain security, detect technology stacks, audit cookies, and analyze email deliverability. Includes multi-resolver comparison, TLS analysis, and WHOIS/RDAP.

Look Up a Domain arrow_forward person_search

Username Search

Search a username across 500+ websites and social media platforms simultaneously. Powered by the WhatsMyName project and Forensic OSINT technology.

Search a Username arrow_forward schedule

OSINT Timestamp Decoder

Decode hidden timestamps from web pages, URLs, and API responses. Supports Unix, Chrome, Twitter Snowflake, Google EI, and more — with OSINT-focused analysis.

Decode Timestamps arrow_forward mark_email_read

Email Header Analyzer

Detect email spoofing, trace sender routes, and analyze SPF/DKIM/DMARC authentication. Drag & drop .eml files or paste headers — extract IPs, export IOCs, and investigate senders. 100% client-side.

Analyze Email Headers arrow_forward image_search

Forensic Image EXIF Reader

Extract EXIF, GPS coordinates, camera serial numbers, and edit history from photos. Detect anomalies, export to CSV/KML, and view metadata forensically. 100% client-side.

Read Image EXIF Data arrow_forward

fingerprint

Forensic Hash Calculator Forensic Notes

Generate MD5, SHA-1, SHA-256, and SHA-512 hashes for files directly in your browser. Verify evidence integrity, detect tampering, and produce court-ready hash reports — no file uploads required.

arrow_forward

lock 100% Client-Side |cloud_off No Data Sent to Server |account_circle Free Account |verified Used by OSINT Professionals

Why Browser-Based OSINT Tools Matter

The tools you use become part of your methodology. Where your data gets processed matters as much as what you find.

verified_user Evidence Integrity

When data is processed locally, it never touches a third-party server. Email headers, IP addresses, and timestamps stay on your device. If the question ever comes up in a legal setting — "who else had access to this data?" — the answer is nobody.

That matters. Chain-of-custody challenges often start with "but you uploaded it to some website," and client-side processing cuts that argument off.

security Operational Security

Server-based tools log every query. Your IP, your search patterns, your targets — all of it sits on someone else's infrastructure, available to be subpoenaed, breached, or sold.

If you are working a fraud case, a threat intel engagement, or anything sensitive, that is an unacceptable exposure. Browser-based tools remove the server from the equation entirely.

devices Accessibility

No installation, no dependencies, no compatibility headaches. Open the page and start working. This matters when you are on a locked-down corporate laptop where installing software requires IT approval, or when you just need a quick answer and do not want to set up a tool chain first.

bolt Speed and Simplicity

Paste your data, click a button, get results. No API keys to configure and no CLI syntax to learn. When you are triaging a pile of leads during incident response, that directness saves real time.

A graphical interface also makes it harder to fat-finger a command or misread output, which is easy to do with text-based tools at 2am.

Tool Categories for Digital Investigations

Each tool handles a different type of evidence. Here is where they fit in a typical investigation.

travel_explore

Network Intelligence — IP Lookup

Every connection to the internet involves an IP address. A lookup can tell you the geographic region, the ISP, whether the address belongs to a hosting provider, and whether it is associated with a VPN or proxy service.

The IP Lookup tool outputs digitally signed PDF reports that document the data sources, the timestamp of the query, and the full results. That turns a quick lookup into something you can actually submit as evidence — not just a screenshot of some website.

It also flags VPN endpoints, proxies, and Tor exit nodes, which prevents the common mistake of assuming an IP address reflects someone's actual location when it does not.

person_search

Identity Attribution — Username Search

People reuse usernames. The same handle on Twitter often shows up on Reddit, GitHub, gaming platforms, and niche forums. That cross-platform overlap is one of the fastest ways to map out someone's online activity.

The Username Search tool checks a username against over 500 sites at once using the WhatsMyName project, a community-maintained database of enumeration targets. Results link directly to discovered profiles so you can start pivoting immediately.

This is especially useful for fraud investigations and threat actor attribution, where you need to establish how broad someone's online presence actually is.

schedule

Temporal Analysis — Timestamp Decoder

Timestamps hide in URLs, API responses, social media post IDs, and file metadata. The problem is that they are usually encoded in formats humans cannot read — Unix epochs, Windows FILETIME, Twitter Snowflake IDs, Chrome timestamps, and others that each store time differently.

The OSINT Timestamp Decoder extracts and decodes these from pasted text, uploaded files, or individual values. It supports over a dozen formats and reports confidence levels, so you know whether a decoded timestamp is definitive or ambiguous.

Timeline reconstruction depends on this. Knowing when a URL was generated, when a post was created, or when infrastructure was provisioned can establish sequences that change an investigation's direction.

mark_email_read

Communications Forensics — Email Header Analyzer

Email headers record the full path a message took from sender to recipient, along with authentication results, originating IPs, and server identifiers. That information is useful for phishing investigations, BEC cases, and spoofing detection — but reading raw headers manually is tedious and error-prone.

The Email Header Analyzer parses raw headers or .eml files and presents the routing path visually. It checks SPF, DKIM, and DMARC results to flag spoofing, extracts IPs for cross-referencing with the lookup tool, and exports IOCs for threat intelligence platforms.

Everything runs client-side. The email content never leaves your device, which matters when you are analyzing communications that may be privileged or classified.

How These Tools Compare

There are other ways to do this work. Here is how they stack up.

block

vs. Ad-Supported Tools

Most free IP lookup sites run on advertising revenue. That means tracking scripts, third-party cookies, and data collection on every query. Your investigation targets end up as ad-targeting data. These tools have no ads and no tracking — your queries stay between you and your browser.

terminal

vs. Command-Line Tools

Maltego transforms, Shodan CLI, and Python scripts are powerful but require setup time and terminal fluency. Browser-based tools give you the same core analysis with a visual interface — faster to triage, fewer typos, and accessible to investigators who do not live in a terminal.

business

vs. Enterprise Platforms

Enterprise threat intel platforms cost thousands per year. They add bulk processing and team features, but the individual investigative functions — looking up an IP, searching a username, parsing a header — are available here for free. No procurement paperwork, no license keys.

edit_note

vs. Manual Methods

You can query WHOIS by hand, decode timestamps with a calculator, and read raw email headers line by line. You will also make mistakes doing it. Automated tools produce consistent results in seconds and generate structured output that drops straight into reports.

Best Practices for OSINT Tool Workflows

Five principles that apply regardless of which tools you use.

1
Start with Passive Reconnaissance
Gather information that does not alert the target first. IP lookups, username searches, and public record queries are all passive. Save active probing — port scans, direct contact, login attempts — for after you understand the target's digital footprint and have assessed the legal boundaries.
2
Corroborate Across Multiple Tools
One tool gives you a data point. Multiple tools give you a pattern. If you find an IP in an email header, run it through the IP Lookup tool for geolocation and VPN detection. If you find a username on one platform, search it across all 500+. Compare timestamps from different sources to see whether a timeline holds up or falls apart.
3
Preserve Evidence Immediately
Web content disappears. Posts get deleted, domains change hands, profiles go private. The moment you identify evidence, preserve it. The Forensic OSINT browser extension captures full web pages with hashed integrity verification — the free Community edition handles non-active file captures, and paid plans add forensic-grade captures with digital signatures and court-ready PDF reports.
4
Document Your Methodology
Record what tools you used, what you put in, when you ran each query, and what came out. Without that, your findings are just assertions. Forensic Notes is built for this — log your investigative steps, attach evidence, and maintain a structured record that someone else can follow to reproduce your work or defend it in court months later.
5
Maintain Operational Security
Your investigation activity is itself data. Use browser-based tools to keep your queries off third-party servers. Avoid running OSINT from networks that trace back to your organization. Consider a dedicated browser profile that separates investigation work from personal browsing.

Frequently Asked Questions

Are these OSINT tools really free?

Yes. All you need is a free Forensic OSINT account — no credit card, no trial period. The IP Lookup, Domain to IP Lookup, Username Search, Timestamp Decoder, Email Header Analyzer, and Forensic Image EXIF Reader are all included at no cost.

Do these tools send my data to a server?

It depends on the tool. The Timestamp Decoder, Email Header Analyzer, Forensic Image EXIF Reader, and Domain to IP Lookup are 100% client-side — nothing leaves your device. The Domain to IP Lookup sends DNS queries directly to Cloudflare's DNS-over-HTTPS endpoint. The IP Lookup and Username Search need server-side API calls to fetch external data, but queries are not logged and search history is not stored.

Do I need to create an account?

Yes, a free account is required. Signing up takes under a minute and does not require a credit card. Once registered, you get full access to all six tools plus features like saved reports and investigation notebooks.

Can I use these tools on mobile?

Yes, they work on phones and tablets. That said, email header parsing and multi-timestamp decoding are easier on a larger screen. A laptop or desktop gives you the best experience for those.

Are these tools suitable for legal investigations?

The IP Lookup tool generates digitally signed PDF reports with documented methodology, data sources, and timestamps, which makes them usable in legal proceedings. For admissibility questions specific to your jurisdiction, consult legal counsel.

How is the IP Lookup different from other IP lookup sites?

Most IP lookup sites run on ad revenue and track your queries. This one produces signed PDF reports with VPN/proxy detection, documented data sources, and timestamped lookups — built for investigators, not for serving ads.

What platforms does the Username Search cover?

Over 500 sites, powered by the WhatsMyName project — a community-maintained database of enumeration targets. Results link directly to discovered profiles so you can pivot between platforms quickly.

What timestamp formats does the Timestamp Decoder support?

Unix, Windows FILETIME, Chrome/WebKit, Twitter Snowflake IDs, Google EI parameters, UUID v1, Discord Snowflakes, and others. You can also paste source code or upload files to extract and decode multiple timestamps at once.

Can the Email Header Analyzer detect spoofed emails?

Yes. It checks SPF, DKIM, and DMARC results and flags authentication failures. It also traces the full routing path, highlights suspicious hops, and exports extracted IPs and IOCs for further investigation.

How do browser-based tools protect operational security?

Data processed in your browser never crosses a network, so there is nothing to log, intercept, or subpoena from a third party. Your research targets and query patterns stay on your machine.

Can I use these with my existing OSINT workflow?

Yes. The IP Lookup accepts query parameters for cross-tool linking, the Email Header Analyzer exports IOCs in standard formats, and the Timestamp Decoder output copies directly into timeline reports. They also work alongside the Forensic OSINT browser extension.

What is the difference between these tools and the Forensic OSINT extension?

The free tools are standalone utilities for specific tasks. The browser extension is an evidence capture platform — it preserves web pages, takes annotated screenshots, builds timelines, and manages case notebooks. The extension includes these same tools as part of a larger workflow.

Start Your OSINT Investigation

Trace an IP, search a username, decode a timestamp, or analyze an email header. Pick a tool and get started.

Get Forensic OSINT Extension Explore All Guides